Assume that I have written a module for Node.js which I would like to keep private. I know that I can (should) add the line

"private": "true"

to the package.json file, and I also know that I can npm install this module using a file system path or a link to a git repository, including GitHub.

I also know that I can put such a file system path or a link to a git repo into package.json, so that the dependencies part may look somewhat like this:

    "dependencies": {
      "myprivatemodule": "git@github.com:..."
    }

What I now want is not to link to the latest version, but to a specific one. The only possibility I know of is to link to a specific commit using its ID. But this is way less readable and less maintainable than using a version number such as 0.3.1.

So my question is: Is it possible to specify such a version number anyway and make npm search the git repository for the latest commit that includes this version?

If not, how do you resolve this issue in your projects? Do you live with commit IDs or is there a better solution to this?

If by version you mean a tag or a release, then GitHub provides download links for those. For example, if I want to install fetch version 0.3.2 (it is not available on npm), then I add to my package.json under dependencies:

"fetch": "https://github.com/github/fetch/archive/v0.3.2.tar.gz",

The only disadvantage when compared with the commit hash approach is that a hash is guaranteed not to represent changed code, whereas a tag could be replaced. Thankfully this rarely happens.
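
The trade-off between tags and commit hashes described above can be checked mechanically. The following is an added example, not part of the original question or answer: it reports dependencies in a package.json that point at a tag, branch or bare repository rather than a full commit hash. The function names, the `example-org` repositories and the SHA are assumptions made for illustration, and tarball file names are read as refs on the assumption that they are GitHub archive links.

```javascript
// Added example: classify how each dependency spec in a package.json is pinned.
const FULL_SHA = /^[0-9a-f]{40}$/i;
const GIT_SPEC = /^(git\+(ssh|https?|file):\/\/|git:\/\/|git@|github:)/i;
const GH_SHORTHAND = /^(?!\.)[\w.-]+\/[\w.-]+(#.*)?$/; // user/repo[#ref]
const TARBALL = /^https?:\/\/\S+?\/([^/]+?)\.(?:tar\.gz|tgz)$/i;

function classifySpec(spec) {
  const tar = spec.match(TARBALL);
  if (tar) {
    // For GitHub /archive/ links the file name is the ref being downloaded.
    return FULL_SHA.test(tar[1]) ? 'commit' : 'mutable-ref';
  }
  if (GIT_SPEC.test(spec) || GH_SHORTHAND.test(spec)) {
    const hash = spec.indexOf('#');
    if (hash === -1) return 'unpinned'; // follows the default branch
    // Only a full commit hash is immutable; tags and branches can be moved.
    return FULL_SHA.test(spec.slice(hash + 1)) ? 'commit' : 'mutable-ref';
  }
  return 'other'; // registry ranges, local paths, etc.
}

function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'mutable-ref' || kind === 'unpinned') {
        findings.push({ name, spec, kind });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: the example-org repositories and the SHA are placeholders.
const samplePkg = {
  private: true,
  dependencies: {
    fetch: 'https://github.com/github/fetch/archive/v0.3.2.tar.gz',
    myprivatemodule: 'git@github.com:example-org/myprivatemodule.git#v0.3.1',
    pinned: 'git+ssh://git@github.com/example-org/pinned.git#0123456789abcdef0123456789abcdef01234567',
    floating: 'git+ssh://git@github.com/example-org/floating.git',
    express: '^4.18.2',
  },
};

console.log(auditDependencies(samplePkg));
```

Run against the sample, it reports `fetch` and `myprivatemodule` as `mutable-ref` and `floating` as `unpinned`; the commit-pinned and registry entries are not reported.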